Saturday, 31 January 2015

I was interviewed last Thursday evening on Radio 5 Live. I had been asked to comment on the news that
CDs containing information from three sensitive police inquiries, two of which
involved highly controversial shootings in London, have gone missing after
being sent through the post.

The information covers probes into the role of the police in the deaths of three
men – Mark Duggan, Azelle Rodney and Robert Hamill.

Ministry of Justice officials realised the discs had gone missing three weeks ago. A
member of staff has since been suspended.

Duggan was shot by police in 2011 while Rodney died in similar circumstances back in
2005. The third case related to the 1997 murder of Hamill by loyalists in
Northern Ireland, which his family and campaigners claim involved police
collusion.

Each case involved testimony from witnesses, including police officers, who were
offered anonymity. It's unclear whether or not copies of the missing documents
included the personal information of witnesses.

Preparing for the interview, the only useful background information I could find was
contained in a BBC news report. Subsequently I noticed that the Ministry of
Justice had released an official statement, providing a little more material –
but answering none of the questions that the privacy community really wants to raise.

Were the discs encrypted? If they were, I would have expected the MoJ to have
said so by now. Instead, the official statement ominously comments that: “It is essential to take the most precautionary view and to
take all necessary steps to safeguard the interests of anyone whose information
could be disclosed. Police and other agencies have undertaken their own risk
assessment, and have identified and taken any steps necessary to ensure the
protection of officers.”

From this, I am assuming that the material was not encrypted. It
might have been password protected, but that’s not the same as encryption.

I also asked why it was decided to send such sensitive information by post, given that
anyone with even basic security training would be well aware of at least some of the secure file transfer
technologies that have been available for many years.

Just what sort of risk assessment took place before the material was sent?

And even if the discs had to be physically delivered, why were they not couriered to the
recipient?

My final point was that the cost of a courier was highly unlikely to exceed
£180,000, an amount that the ICO has, on two occasions in the past year, fined
the Ministry of Justice and the Department of Justice in Northern Ireland for
their poor data protection handling practices.

Given the huge array of security policies that Government Departments have in force
that make whatever happened indefensible, I struggle to understand why, on this occasion, public
officials were not given the right tools to enable them to do their job
properly.

Yes, I understand that someone has been suspended over the incident. But is this
person just the poor wonk that popped the discs in the post, or is it
their manager, who is (quite possibly) much more accountable for the incident, because they failed to ensure that their staff had the tools that were
necessary to enable them to do their job?

Lots of questions. The privacy community (and the victims of this deeply troubling
incident) are looking forward, with considerable interest, (and no doubt a
certain amount of trepidation) to learning the answers.

Friday, 30 January 2015

As forecast in my last blog, the coolest data dudes in town assembled during the evening of Data
Protection Day at Live Nation’s incredible offices in Islington for a session
on profiling – and the data protection pitfalls.

Is there another building in town that lets its visitors arrive in the basement
meeting rooms by way of a slide, rather than the stairs? I kid you not.

The session was expertly chaired by Live Nation’s international data governance guru Heike Norris, who
really set the room at ease with her opening remarks. You know you’re in safe hands when the host’s first words are “OK, has everyone got a drink?”

I had a good look at the audience and was impressed – perhaps only a third were
the usual data protection suspects. The others were from companies that didn’t
employ specialist privacy professionals – but they were there because profiling
formed an extremely important part of their business models, and they were
really concerned at what might happen should the regulatory regime turn against
them.

It's really refreshing to report that privacy sessions are (at long last) attracting the interest of people who aren't privacy specialists.

But, to business.

The business of profiling.

And it is a very serious business.

A panel of expert speakers comprised Richard Cumberley from Linklaters,
Ticketmaster’s expert in marketing and analytics Sophie Crosbie, The Royal Mail’s Stephen McCartney, and Webber Shandwick’s John Mcleod. These are
serious movers and shakers. And a lot of
what they had to say met with violent nods of agreement from the audience –
which included a considerable smattering of ex-ICO folk who, having done their
time in Wilmslow, had now moved south to ply their trade.

The principal points to take away from the main session, and from the private chats
after the formal proceedings had ended, were that:

In Europe, the concept of privacy has become an absolute right – but by stealth. This is wrong. There ought to have been a far
more open public debate before it was decided that privacy should be conferred
the status of a fundamental right.

Europe’s Governments
generally believe that profiling is wrong – unless it’s Governments that are
doing it. And there are increasing signs that Governments want to do even more
profiling of their citizens. Not only for national security purposes, but also for
a whole range of other purposes which, because they are not “commercial”, are
considered “benign”.

With respect to current marketing
practices, today’s customers demand relevance. They expect organisations to
know enough about their customers to send them compelling offers. To that
extent, customers know and (mostly) accept the value exchange that currently
exists, when personal information is supplied in exchange for “stuff”.

Most marketing companies
behave responsibly and use ethical profiling techniques on the datasets that
are available to them. However, a small number of companies have gone further,
and in ways that customers are uncomfortable with. So there is a need (for
them) to explain the information value exchange in clearer terms.

Customers aren’t
interested in learning about the complicated business models that require so
much personal data to be shared. So, if a customer is unwilling to engage sufficiently
with a data controller to offer their informed consent to profiling, there will
have to continue to be more circumstances where it is in the organisation’s
“legitimate interests” to profile them.

Customers generally don’t
experience privacy – until they lose it. But when customers have lost it, and
object to the processing that caused the loss of their privacy, organisations
generally don’t delete the information that the customer was uneasy about the organisation
knowing about them in the first place. (But they will stop marketing them.)

Live Nation certainly gave everyone who attended a great memory of this year’s Data
Protection Day. They’re serious about respecting the rights of their customers
– and about getting profiling right. Let’s hope that no new regulatory
obstacles are created that have the effect of making it even harder for them to
give their customers what they really, really want.

Wednesday, 28 January 2015

The ICO is always trying out new and innovative ways of celebrating Data Protection Day.

This year, the commemorations commenced with a short video from Commissioner Graham,
deep in the nerve centre of the ICO’s news office, explaining that throughout
the day his staff will be tweeting about many of the exciting initiatives that
are underway within (and beyond) his office to improve our information rights.

I’ll be commemorating the day by attending a meeting of top data dudes at a discussion on profiling, organised by our chums at Live Nation in Central London, about which I’ll
report later.

Meanwhile, all I have to offer, prompted by the Commissioner’s appearance this morning, is
the following ditty:

Chris Graham’s at the presenter’s desk of ICO news

He’s explaining (in very general terms) just how not to abuse

The trust of individuals who have so much to lose

When, from servers, thanks to breaches, their personal info spews

His mighty team of advisers offer a helping hand

Dishing out compliance advice to folk across the land

Listening to complainants and getting them to understand

That despite a heavy workload, their staffing levels won’t expand

Meanwhile, if you listen, rumours spread about a new law

That the Europeans are drafting but of which many Brits guffaw

Is it a "Di-Regulation" along the lines that they foresaw

In which some of the Articles still contain a fatal flaw?

But on this great occasion, our differences fall away

Respect the privacy loonies, let no smirk display

On our faces as we raise our glass and, as one, pray

That we’ll still be in gainful employment come next Data Protection Day

Tuesday, 27 January 2015

A smattering of the usual suspects met under the auspices of the Information
Assurance Advisory Council in Covent Garden today to consider the last great
frontier – dealing with the human aspect of information security. Just how do companies impose workable
constraints on the 'Mark 1' human being?

With great difficulty, came the considered reply.

When dealing with remote access to an organisation’s systems, the “new firewall” is
identity management. The challenges of identity verification and privilege
management are immense. What realistic controls can be placed on staff (and
contractors) when the organisation is, at the same time, trying to give the
impression that it trusts them?

For the public sector, additional challenges are presented given the aggressive
pace of the hugely ambitious digital agenda programme, which simply increases
vulnerability every day. This is compounded by a culture of zero tolerance for
mistakes by ministers and those with a public accountability role. But this
leads to decisions on how to react to data breaches being made in ways that
detract from possibly more important issues. The public sector is creating
vulnerabilities at an exponential rate because of the way it chooses to do
business.

There was not a meeting of minds on the best way of addressing the “human factor”.
The security professionals stress the need for managers to ever more closely
scrutinize the actions of their direct reports. Often, with scant regard for
the legitimate privacy rights and aspirations of staff, who are human beings with
human rights in their spare time, if not while at work.

There are some encouraging signs, though.

Government security clearances are being administered less frequently by teams of
ex-policemen and former spooks, and more frequently by teams of ex-teachers and
social workers. This new breed of clearance officer is likely to be more in
tune with the people they will be clearing. And they will be more able to
assess an applicant in terms of their ability to conform to norms of today’s
generation, rather than compliance with the culture of those of previous
generations.

Technical controls are (oh so gradually) being implemented within organisations, meaning
that security is being built into electronic systems, rather than being bolted
on to them. Yes, there is a huge distance to travel to security nirvana, but we
have to be realistic. Staff (usually) want to do their jobs efficiently, and to
a high standard. They expect to be given appropriate tools to do the job, and
increasingly resent having to rely on “work arounds” simply because the
organisation is not capable of living up to the high standards it espouses in
its security policies, etc.

Monday, 26 January 2015

Often, a dedicated core of professional staff will work with
teams of volunteers, many of whom may cease volunteering after a few months, realising
that it’s just not for them. Other volunteers remain with the organisation for
years – and can feel a far greater sense of affinity with its aims and
objectives than do some of its staff. Many volunteers process considerable
amounts of sensitive personal information about clients. But, information
governance controls can be extremely hard to implement at the local level.

How can the professional staff within such organisations engage with these
different types of volunteers and get them to follow good data handling
practices? With some difficulty, according to a recent ICO report.

A quick glance at the ICO’s website enables the casual reader to appreciate that a
report has just been published about the data handling practices of a
number of charities and voluntary groups that work with either victims of crime
or people that are associated with victims of crime.

Evidently, “many organisations” are meeting the difficult challenges that are faced. However,
there are still a number of areas where they could be doing “more to keep
people’s information secure.” These are “important areas that need addressing.”

What then follows is a list of three areas of best practice and three areas where
improvements are required in a number of priority areas. The areas of best
practice are described in 61 words. The areas where improvements are required
are described in 100 words.

So, no real cause for concern, then.

Or is there?

Because when the committed reader reads the actual report, a slightly different story emerges.

If all were well and good, I might expect the actual report to spend about twice
as long referring to the areas for improvement than it does on the areas of
good practice. That’s what I’ve been led to assume, after reading the blurb.

Alas, this is not the case.

The areas of good practice can be described on a single page.

But it takes 12 pages to set out the areas for improvement, which should be
considered as a priority for all VSA organisations.

The ICO is keen to spell out what is going wrong, but not in a manner that draws
too much attention to the casual reader (i.e. the reader that doesn’t read the
actual report).

I only hope its message – when expressed directly (and possibly privately) to the VSA organisations – is a lot clearer than the general statement on
the website. The public message doesn’t draw sufficient attention to the
serious issues that do need to be addressed.

About Me

I'm Martin Hoskins, and I started this blog to offer somewhat of an irreverent approach to data protection issues. As time has passed, the tone of my posts has become more serious.
I'm not a "high priest" of data protection. I focus on the principles of transparency, fairness, practicality, risk-assessment and pragmatism when dealing with issues, rather than applying every aspect of every data protection rule.
While I may occasionally appear to criticise various organisations with which I am or have been associated, I write here in an entirely personal capacity, so these comments should never be taken to represent anyone else's views on what I write about.
I occasionally tweet as @DataProtector.
You can contact me at:
info@martinhoskins.com.